AFFECTED:
Users of USPS Online BillPay Service. It is unknown whether other CheckFree portals are vulnerable to the same problem.

OVERVIEW:
A failed username/password login results in the plain-text return of the submitted password. If the USERNAME was the incorrectly typed piece, a plain-text version of the user's password is retrievable using the 'VIEW SOURCE' browser option.

DESCRIPTION:
The USPS Online BillPay service utilizes a username/password combination for access to their service. Users enter their username/password to gain access to their account. If a user mistypes the username or password, a pre-filled form is returned to the user which INCLUDES the password that was entered on that attempt.

IMPACT:
If the user mistyped the username but correctly typed the password, the plain-text password is returned to the browser and is viewable by using the back button and the "view source" option of the browser.

SOLUTION:

END-USER
The only known workaround is to configure the browser to not cache pages at all. This will prevent the ability to use the "back" button; however, if the returned page is on the screen, using "view source" may still display the information.

VENDOR
Re-code the application to not return the password in the "login-failed" form that is displayed. This should be a relatively easy solution.

VENDOR NOTIFICATION:
USPS BillPay was first notified 1/1/2002 and given a "respond by" deadline of 1/17/2002. This notification occurred from within their online customer care interface. Complete and accurate contact information was included. When no response was obtained, a second notification was sent on 1/16/2002 with an extension until 00:00 1/19/2002 -- at which time this information would be posted to BUGTRAQ. The original message (including complete contact information) was included.

VENDOR RESPONSE:
None to date.

Matthew Dent
dentm@yahoo.com
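The flaw described above (the "login-failed" page pre-filling the password field) and the vendor fix (never echoing the password, and not letting the browser cache the page) are illustrated below as an added example. This is not code from the advisory or from USPS/CheckFree; the form markup, the sample credentials and the audit helper are constructed for the demonstration. The audit function is the kind of check a developer could run in a test suite against their own login-failure response to catch this class of leak.

```python
import html
from typing import Dict, List, Tuple

# Constructed sample credentials for the demonstration (not real accounts).
SAMPLE_USERNAME = "jdoe"
SAMPLE_PASSWORD = "s3cret!pass"

# Constructed login-failed form, standing in for the portal's real page.
FORM_TEMPLATE = """<html><body>
<p>Login failed. Please check your username and password.</p>
<form method="POST" action="/login">
  <input type="text" name="username" value="{username}">
  <input type="password" name="password" value="{password}">
  <input type="submit" value="Log in">
</form>
</body></html>
"""


def render_login_failed_vulnerable(username: str, password: str) -> Tuple[Dict[str, str], str]:
    """Reproduces the behaviour the advisory describes: the failed-login page
    pre-fills BOTH fields, so the submitted password lands in the HTML source
    where 'view source' shows it. No cache headers are set, so the browser is
    free to keep the page and serve it again on 'back'."""
    body = FORM_TEMPLATE.format(
        username=html.escape(username, quote=True),
        password=html.escape(password, quote=True),
    )
    return {"Content-Type": "text/html"}, body


def render_login_failed_fixed(username: str, _password: str) -> Tuple[Dict[str, str], str]:
    """Hardened form: the submitted password is deliberately never used, so it
    cannot reach the response; only the username is re-filled for convenience.
    Cache headers tell the browser not to store the page, which also closes
    the back-button exposure the end-user workaround tried to address."""
    body = FORM_TEMPLATE.format(
        username=html.escape(username, quote=True),
        password="",
    )
    headers = {
        "Content-Type": "text/html",
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
    }
    return headers, body


def response_leaks_secret(body: str, secret: str) -> bool:
    """True if the response body contains the submitted secret, either raw or
    in its HTML-escaped form (attribute values are normally escaped)."""
    return secret in body or html.escape(secret, quote=True) in body


def audit_login_failed_page(headers: Dict[str, str], body: str, secret: str) -> List[str]:
    """Test-suite style check for a login-failure response: report a password
    echoed into the page and a response that the browser is allowed to cache."""
    findings: List[str] = []
    if response_leaks_secret(body, secret):
        findings.append("submitted password echoed in response body")
    cache_control = headers.get("Cache-Control", "").lower()
    if "no-store" not in cache_control:
        findings.append("response is cacheable: missing Cache-Control: no-store")
    return findings


if __name__ == "__main__":
    for name, render in (("vulnerable", render_login_failed_vulnerable),
                         ("fixed", render_login_failed_fixed)):
        hdrs, page = render(SAMPLE_USERNAME, SAMPLE_PASSWORD)
        print(name, "->", audit_login_failed_page(hdrs, page, SAMPLE_PASSWORD) or "clean")
```

Running the script prints two findings for the vulnerable renderer and "clean" for the fixed one. The same audit can be pointed at a captured HTTP response from any login form: feed it the response headers and body together with the password that was submitted in the test account's request.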